• ryannathans
      link
      fedilink
      arrow-up
      6
      ·
      9 months ago

      Doesn’t really matter with them being non unique. Multiple people can have the same username, there’s a randomly generated number that goes with it

      • rdyoung@lemmy.world
        link
        fedilink
        arrow-up
        13
        arrow-down
        2
        ·
        edit-2
        9 months ago

        Probably because some people tend to pick user names that identify them in some way. Take me for example, I have a few names I go by but this username is definitely helpful in identifying me. I use it on the other place, a couple of emails, discord, telegram, etc. I don’t feel the need to be as anon as possible (no shade on those who do) so I main this one. I have a few others that I have been known to use and those are mainly for things that I don’t want easily connected back to me.

        • akilou@sh.itjust.works
          link
          fedilink
          arrow-up
          5
          arrow-down
          2
          ·
          9 months ago

          You shouldn’t be forced to be anonymous. If you want to pick the same username, you should be able to. But even so, there’s still a required number at the end. So unless your username elsewhere ends in 2 digits and isn’t already taken, then you can’t pick it anyway

          • Otter@lemmy.ca
            link
            fedilink
            English
            arrow-up
            5
            ·
            9 months ago

            The best compromise might be similar to how it works currently

            Right now you enter your username, and then a number is randomly generated but you can change it manually.

            Randomly generate both, and allow the user to change both

          • rdyoung@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            edit-2
            9 months ago

            It’s not about forcing anyone to be anonymous. I’m not OP here but I kind of agree. Maybe signal should default to a randomized one with a blurb about safety, anonymity, etc but let you create your own if you want.

            Again. My personal view isn’t to force random usernames on people but to maybe educate them on this stuff. Also, there are legit reasons why you should have non identifying usernames even if it’s not how the world should work. There are enough nutters out there who may recognize something in someones name that links them to someone they know offline and people are nucking futz. I can tell you stories I’ve heard from my clients that you would believe but don’t want to.

            Oh and for the numbers, that can be even more identifying because people tend to use numbers that mean something to them. I have a variation on this name that includes my birth year in 2 digits. If I was posting things online that close family might have a problem with, it wouldn’t be hard to do to the math and identify me that way.

      • olicvb@lemmy.ca
        link
        fedilink
        English
        arrow-up
        9
        ·
        9 months ago

        guessing it would mean that people wont be using the same username as they do on every other account. So if doodlebop69 can’t be traced from signal they could go to google and find the same doodlebop69 to grab their information from

        • akilou@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          9 months ago

          But doodlebug69 needs to accept a message from you before you can see their profile info.

          • Baguette@lemmy.ml
            link
            fedilink
            arrow-up
            4
            ·
            9 months ago

            They have the username already, they don’t need to see their profile info to search for a username

    • pedroapero@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      It generated a suffix of two digits when I tried (you can set it explicitely but it is mandatory).

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    14
    ·
    9 months ago

    This is the best summary I could come up with:


    Based on a phone number, the federal prosecutors were asking for the user’s name, address, correspondence, contacts, groups, and call records to assist with an FBI investigation.

    Whenever Signal receives a properly served subpoena, they work closely with the American Civil Liberties Union to challenge and respond to it, handing over as little user data as possible.

    Whittaker stressed that this is “a pretty narrow pipeline that is guarded viciously by ACLU lawyers,” just to obtain a phone number based on a username.

    Signal’s leadership is aware that its critics’ most persistent complaint is the phone number requirement, and they’ll readily admit that optional usernames are only a partial fix.

    She gave an example of a person who faces severe threats and normally maintains vigilance but whose mother is only on WhatsApp because she can’t figure out the numberless Signal.

    Signal engineers have discussed possible alternatives to phone numbers that would maintain that friction, including paid options, but nothing is currently on their road map.


    The original article contains 1,894 words, the summary contains 165 words. Saved 91%. I’m a bot and I’m open source!

  • ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    9 months ago

    just two pieces of data: the date the target Signal account was created, and the date that it last connected to the service.

    And how does Usernames help here? Should be the same 2 data Points and not more?

    • BakedCatboy@lemmy.ml
      link
      fedilink
      English
      arrow-up
      17
      ·
      9 months ago

      The idea is that you change or remove your username after someone else starts a conversation with you, so the username can no longer be used to subpoena your account details.

      Put another way, signal is able to provide those 2 pieces of information to law enforcement based on a phone number. This helps you to prevent law enforcement having a phone number to ask signal to look up in the first place, assuming you change your username every time you hand it out.

      They also hash the usernames that they store on your account which means law enforcement can’t ask what usernames are being used, only being able to ask for specific usernames which are currently in use.

      • LWD@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        9 months ago

        I understand that right now LEA can serve up a subpoena and give Signal a username and get a phone number, but they can’t give them a phone number and get a username.

        Is it also possible for Signal to keep track of past usernames/associated hashes for a particular phone number?

        (For comparison, Signal could record IP addresses, but we trust they don’t due to unsealed cases. Could they keep a username history?)

        • BakedCatboy@lemmy.ml
          link
          fedilink
          English
          arrow-up
          5
          ·
          9 months ago

          Yes it entirely depends on whether they store previously used usernames along with the date range it was in use (to tell apart multiple people who used the same username at different times)

          We’ll have to see if any unsealed cases in the future support that they don’t keep those records like how they don’t keep IP logs, but personally their track record is enough for me to have confidence in the feature, especially since my “threat model” is primarily opportunistic hackers or spearphishers at most, not police or state / nation state level actors.

    • zaph@sh.itjust.works
      link
      fedilink
      arrow-up
      13
      arrow-down
      1
      ·
      9 months ago

      My phone number is registered to my phone carrier under my real name. My username is not. Unless I’ve misunderstood the question.

    • Natanael@slrpnk.net
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      9 months ago

      They don’t track username history and don’t have a server side list of plaintext usernames, and others can’t find your phone number from the username alone. That makes it harder to confirm which account is yours.

    • rdyoung@lemmy.world
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      9 months ago

      Iirc from the last time this article or similar was posted, it’s about how warrants are issued. It’s the username versus phone number not username versus or and/or other data points. Anything more than that I am still unclear about.

  • xor@infosec.pub
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    9 months ago

    still waiting for this to roll out on ios…
    edit: nevermind, it updated